Complimentary role of CAE and CRO in the provision of combined assurance IMFO Audit & Risk Indaba 28-29 June 2012 Nathi Mhlongo-eThekwini Municipality.

1 Complimentary role of CAE and CRO in the provision of combined assurance. IMFO Audit & Risk Indaba, 28-29 June 2012. Nathi Mhlongo, eThekwini Municipality

2 Discussion topics
- King III on combined assurance
- Where is it risky? Are we focusing where it matters? (Source: PwC statistical information)
- Critical areas of convergence for CAE and CRO
- Requirements for effective cooperation between CAE and CRO
- Benefits of combined assurance

3 King III
3.5 The Audit Committee should ensure that a combined assurance model is applied to provide a coordinated approach to all assurance services.
[Diagram: Combined assurance, drawing on Management, External Assurance Providers and Internal Assurance Providers]

4 Combined assurance model
[Diagram labels]
- Council and Key Committees; Audit and Risk Committee; Risk Management Committee
- Governance oversight; Management assurance
- First Line of Defence: Management of Operations
- Second Line of Defence: Chief Risk Office; Ethics and Compliance; Ombudsperson; Legal
- Third Line of Defence: Internal and External Auditors
- Municipal Manager and Key Committees

5 Is there convergence between IA and ERM?
[Diagram: Internal Audit; Risk Management]

6 Chief Risk Officer
1. Provide overall leadership, vision and direction for ERM
2. Establish an integrated framework for all risks in the organization
3. Develop risk management policies, incl. quantification of management’s risk appetite
4. Implement a set of risk indicators and reports, incl. incidents and losses
5. Communicate the organization’s risk profile to stakeholders
6. Develop analytical, systems and data management capabilities to support the risk management program

7 Chief Audit Executive
1. Evaluate the ERM methodologies and processes to ensure they are working as intended
2. Review and provide assurance that the risks of the organization are being systematically identified, evaluated and appropriately managed
3. Monitor and evaluate the adequacy and effectiveness of the risk mitigation responses designed by management
4. Report to the Audit Committee on the effectiveness of the ERM process, procedures and internal controls

8 King 3 on risk management and combined assurance
- The board should ensure that frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks
King 3 on IA and combined assurance
- The board should receive assurance regarding the effectiveness of the risk management process

9 Can CAE and CRO collaborate?
- What does ERM mean?
- How do both functions fit into the equation?
- How can internal audit assist and yet independently evaluate risk management activities?

10 ERM Definitions
- RIMS: ERM is a strategic business discipline that supports achievement of an organization’s objectives by addressing the full spectrum of its risks and managing a combined impact of those risks as an interrelated risk portfolio.
- The IIA: ERM is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of objectives.
Source: The IIA and RIMS

11 Common areas of convergence
- ISO 31000:2009
- IIA International Professional Practice Framework
- COSO ERM framework
- Open Compliance and Ethics Group’s Red Book
- RIMS and IIA 2012 joint report
eThekwini Municipality - EXCO ERM

12 Managing risk makes sense……….

13 Risks that are generally not perceived as well managed
[Chart: How well is risk being managed? Legend: Well managed. Source: PwC 2012 State of the IA Profession Study, June 2012]

14 Stakeholders value internal audit’s contribution… and want more
[Chart: Which risks are receiving too little attention from internal audit? Source: PwC State of the IA Profession Study, June 2012]

15 Let’s reflect… Can IA provide assurance…

16 The fact of the matter is…
- Are risks adequately covered in the risk profile?
- Is risk information simplified or excessively cluttered?
- Is risk information credible?
- Expertise of the CRO
- Stakeholder consensus on risks raised by management?
- CAE robust dialogue with CRO around ERM?
- AG participation in dialogue?
- Is ERM effective?
- Is IA specific skill available?
- Does IA have enough budget?

17 Results of Ineffective Risk Management
- Poor identification of risks
- Breakdown in internal control that could prevent the organization from achieving its objective
- Reactive responses to potential risks, rather than proactive
- Changing/new risks are not adequately identified, controlled and managed
- Inability to leverage internal audit expertise, e.g. root cause analysis, impact assessment, etc.
- Inability to leverage ERM expertise

18 Expectations from CAE
- Timely recommendations
- Risk impact insight
- Quality of recommendations to improve business performance

19 Critical area of convergence for CAE/CRO
- Root cause and impact assessments - IA
- Controls design and implementation consulting - ERM
- Action planning and real time assurance on implementation according to plan - IA/ERM
- Combined assurance
- Effective and efficient communication

20 An effective combined assurance framework
To ensure success, the organisation requires:
- A common risk language
- Enabling technology
- Clearly defined roles of all assurance providers
- Approved combined assurance policy to ensure commitment to cooperate
- A communication plan, encompassing ongoing communication
- Involvement from senior leadership (“tone at the top”)
- Continued coordination, reporting and communication
- Provision of necessary and appropriate training

21 Risk Register
Template columns:
- #
- Original Risk name
- Common Risk name
- Background to risk
- Consequence of the risk
- Impact
- Likelihood
- Inherent risk exposure
- Current controls
- Perceived Control Effectiveness Description
- Perceived Control Effectiveness %
- Residual risk exposure
- Risk Owner
- Actions to improve management of the risk
- Action owner
- Due date
Rows 1, 2 and 3 are unpopulated; each shows only two 0 values.

22 Acknowledgements
- King III
- PwC 2012 State of Internal Audit Study
- eThekwini Municipality ERM framework
- RIMS and IIA 2012 Joint Report

23 “Siyabonga kakhulu” (Thank you very much) ???
